The education sector has undergone and embraced several changes in recent years due to the increased reliance on digital technologies, changing the way students learn, both in the classroom and from home. Over the last several years, having access to the internet and mobile devices evolved from a luxury to an absolute necessity.
As is the case with any industry, more technology means more sensitive data stored in online environments, making safeguarding sensitive data, and maintaining privacy more of a priority than ever. As students and teachers increasingly rely on education-specific devices and applications, those users and organizations become more of a target for hackers.
Further, the education sector is a frequent target of cyberattacks because of the wealth of data available on the students. The National Cyber Security Centre (NCSC) reported that in 2022, 78% of schools fell victim to cyberattacks, while the Department for Culture, Media and Sports reported that 39% of UK businesses identified at least one attack. Additionally, 45 U.S. school districts were hit by ransomware attacks in 2022. The Australian education sector saw a 17% increase in cyberattacks, and an average of 3,934 attacks in July, compared to the first half of 2021.
Universities are a target with specific departments focused on financial information of students, valuable research, and intellectual property that is highly sought after. Even something as simple as a school directory for K-12 students can contain personally identifiable information (PII) that could lead to the launch of an attack. Personally Identifiable Information (PII) in student information systems, student health records, and other sources can be very lucrative for cybercriminals, fetching, on average, $250 per record. Gathering of student data can be from anything like personal information to the websites that have looked at and even the keywords that they have typed onto a computer. This data clearly has a value, and cyber criminals see schools and colleges as a vulnerable place to get hold of this type of data.
Cyber threats in the education sector can largely be very similar to what you would see in the corporate environment. For example, we have seen several institutions fall victim to ransomware, including Des Moines Public Schools, Albuquerque Public Schools, Hawaii Community College, and Lincoln College, who had to permanently shut down after 157 years because of a ransomware attack. However, research has shown that a higher percentage of cyber-attacks facing educational institutions are successful compared to other industries. Why?
Why are educational institutions uniquely at risk?
Educational institutions are targeted by cybercriminals due to the valuable data they possess and the weaker cybersecurity posture. The unique challenges they face, including diverse user bases, open environments, and limited resources.
Lot of educational institutions, especially public-school systems, don’t have the cybersecurity resources available to them that the everyday corporation has. Budgets are tight and cybersecurity is expensive, making it difficult to secure environments with the typical defense tools. Educational institutions essentially operate on a small business cybersecurity budget while facing corporate-level attacks. Optimizing every dollar in the cybersecurity budget remains paramount within critical infrastructure.
Educational institutions also have a diverse and transient user base, including students, faculty, staff, and often external collaborators. The COVID-19 pandemic only further increased this diversity due to the needs of remote learning and challenges related to securing various personal devices used by students and faculty for remote access, often referred to as Bring Your Own Device (BYOD) policies. Campuses are also open environments with multiple access points, making it easier for unauthorized individuals to gain physical and network access. Managing user access, authentication and security for this dynamic group across an ever-growing list of locations and device types can be challenging and open additional vulnerabilities.
Another reason is that much like in corporate environments, is the lack of education that users including students and staff have around what cyber threats look like, and the consequences of missteps. In K-12 education, young children and even teens are much more likely to click a nefarious link or download a hazardous file from the internet, either by accident or because they don’t understand the damage that performing the action could cause. Striking the balance of security without locking resources down so much to where it becomes difficult to learn remains a substantial challenge.
Additionally, cybersecurity in the education sector requires compliance with current cybersecurity regulations. As we saw in March of this year, the Cybersecurity and Infrastructure Security Agency (CISA) proposed a new rule for covered entities within critical infrastructure to report cyber incidents within hours of their occurrence. While this may feel daunting, expedited reporting is critical for prevention, mitigation, and restoration of attacked networks.
We have also seen several educational institutions keeping IT systems accessible even during school breaks for the ease of use for teachers and students alike. Between school districts’ lack of IT and cyber staffing and the hundreds (or even thousands) of people who have access to the systems and the sensitive data they hold, these networks become a target for attackers.
Balancing complex security on the back end, simplicity on the front end, and keeping the well-being of the student at the forefront presents a unique challenge. Another aspect to keep in mind is the well-being of the student. In an air-tight online environment, it is easy for the student to feel isolated. We discuss the phenomenon of social emotional learning often, but striking the balance between freedom, digital safety, and limiting distractions remains a critical challenge.
So how do we strike the perfect balance? The first step is to adequately train teachers on identifying abnormalities and threats within the IT network. As we know, the threat landscape is ever-changing, and education on the various threats is a great place to start.
Now is a better time than ever for the education sector to bring in any applicable best practices in tailored cybersecurity solutions from the corporate world. In the rapidly changing digital era, it is a game of adapt or perish, and the responsibility is on our education organizations to ensure that students can continue to learn and grow into our future leaders of the world — leaders who understand the value of security, user privacy, and online safety. The positive impact of a secure digital environment where the students can learn fearlessly will benefit students for years to come.